Car Fob Hack Gets Thieves Rolling

Isn’t it wonderful to be able to click a button instead of bothering with a key to unlock your car door? Unfortunately, that small convenience can open the door, literally, to thieves looking to steal your personal belongings—or the car itself.

Academic researchers have worked up a proof of concept for a hack of a widely used keyless entry fob, which affects millions of Volkswagen, Ford and GM vehicles.

Worse, even an “unskilled adversary” can compromise the keyless entry system, using a $40 rig consisting of a battery-powered listening and jamming device. On average, it takes about a minute to unlock a door.

The necessary equipment is widely available at low cost, they said, and worse, are packaged and commercialized and ready to go in underground markets: “The attacks are hence highly scalable and could be potentially carried out by an unskilled adversary,” they noted.

The attack uses two vulnerabilities; one allows an attacker to unlock nearly every model VW made since 1995, according to researchers, while the other impacts key fobs used with Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot vehicles.

The compromise is only applicable to older fobs, Volkswagen said: “Current vehicle generation is not afflicted by the problems described.” But that leaves millions of older cars that are already in use.

As for the technical details, Kaspersky Lab researchers pointed out that both hacks use a modified Arduino radio device within a 300-foot radius of the targeted vehicle to intercept codes from a car’s key fob:

“The first involved using the eavesdropping device to recover a fixed global set of cryptographic keys used in all VW cars. Using the Arduino, researchers said they only needed to eavesdrop once while someone opened their car with a key fob to crack the code. The second vulnerability is tied to a weakness in the key fob’s cryptographic scheme called HiTag2. Researchers were able to easily crack the HiTag2 crypto system because of what they said were flaws in the algorithm. Using the Arduino radio device, researchers intercepted eight key codes used in a rolling code pattern by the key fob to open the door.